To automatically start this stronger firewall ruleset at the proper time,
please see the end of Section 3.4.2 for full details. Please make sure you
make the correct "rc.firewall-iptables" to "rc.firewall-iptables-stronger"
substitutions!!

6.4.2. Stronger IP Firewall (IPCHAINS) rulesets

This section provides a more in-depth guide to using the 2.2.x firewall tool,
IPCHAINS. See above sections for IPFWADM rulesets.

This example is for a firewall/masquerade system behind a PPP link with a
static PPP address (dynamic PPP instructions are included but disabled). The
trusted interface is 192.168.0.1 and the PPP interface IP address has been
changed to protect the guilty :-). I have listed each incoming and outgoing
interface individually to catch IP spoofing as well as stuffed routing and/or
masquerading. Anything not explicitly allowed is FORBIDDEN (well.. rejected,
actually). If your IP MASQ box breaks after implementing this
rc.firewall-ipchains-stronger script, be sure that you edit it for your
configuration and check your /var/log/messages or /var/adm/messages SYSLOG
file for any firewall errors.

NOTE #1: --- UPDATE YOUR KERNEL ---
Linux 2.2.x kernels less than version 2.2.20 contain several different
security vulnerabilities (some were MASQ specific). Kernels less than 2.2.20
have a few local vulnerabilities. Kernel versions less than 2.2.16 have a TCP
root exploit vulnerability and versions less than 2.2.11 have an IPCHAINS
fragmentation bug. Because of these issues, users running a firewall with
strong IPCHAINS rulesets are open to possible intrusion. Please upgrade your
kernel to a fixed version.

NOTE #2: If you get a dynamically assigned
TCP/IP address from your ISP (PPP, DSL, Cablemodems, etc.), you CANNOT load this strong ruleset upon booting. You
will either need to reload this firewall ruleset EVERY TIME you get a new IP
address or make your /etc/rc.d/rc.firewall-ipchains-stronger ruleset more
intelligent. To do this for various types of connections such as PPP or
DHCP users, please see the Section 7.8 FAQ entry for all
the details.

Please also be aware that there are several GUI Firewall creation tools
available as well. Please see Chapter 7 for full details.

Lastly, if you are using a STATIC PPP IP address, change the
"EXTIF="your.static.PPP.address"" line to reflect your address.

To automatically start this stronger firewall ruleset at the proper time,
please see the end of Section 3.4.2 for full details. Please make sure you
make the correct "rc.firewall-ipchains" to "rc.firewall-ipchains-stronger"
substitutions!!

With IPCHAINS, you can block traffic to a particular site using the "input",
"output", and/or "forward" rules. Remember that the set of rules is scanned
from top to bottom and "-A" tells IPCHAINS to "append" this new rule to the
existing set of rules. So with this in mind, any specific restrictions need
to come before any global rules. For example:

Using "input" rules:

Probably the fastest and most efficient method to block traffic, but this
method only stops the MASQed machines and NOT the firewall machine itself.
Of course, you might want to allow that combination.

No need for a special rule to allow machines on the 192.168.0.0/24 network to
go to 204.50.11.0. Why? It is already covered by the global MASQ rule.

NOTE: Unlike IPFWADM, IPCHAINS has only one way of coding the interface name.
IPCHAINS uses the "-i eth0" option, whereas IPFWADM had both "-W" for the
interface name and "-V" for the interface's IP address.

6.4.3. Stronger IP Firewall (IPFWADM) Rulesets

This section provides a more in-depth guide on using the 2.0.x firewall tool,
IPFWADM. See below for IPCHAINS rulesets.

This example is for a firewall/masquerade system behind a PPP link with a
static PPP address (dynamic PPP instructions are included but disabled).
The trusted interface is 192.168.0.1 and the PPP interface IP address has
been changed to protect the guilty :). I have listed each incoming and
outgoing interface individually to catch IP spoofing as well as stuffed
routing and/or masquerading. Anything not explicitly allowed is
FORBIDDEN (well.. rejected, actually).
If your IP MASQ box breaks after implementing this rc.firewall-ipfwadm-stronger
script, be sure that you edit it for your configuration and check your
/var/log/messages or /var/adm/messages SYSLOG file for any firewall errors.

NOTE #2: If you get a dynamically assigned
TCP/IP address from your ISP (PPP, DSL, Cablemodems, etc.), you CANNOT load this strong ruleset upon booting. You
will either need to reload this firewall ruleset EVERY TIME you get a new IP
address or make your /etc/rc.d/rc.firewall-ipchains-stronger ruleset more
intelligent. To do this for various types of connections such as PPP or
DHCP users, please see the Section 7.8 FAQ entry for all
the details.

Please also be aware that there are several GUI Firewall creation tools
available as well. Please see Chapter 7 for full details.

Lastly, if you are using a STATIC PPP IP address, change the
"ppp_ip="your.static.PPP.address"" line to reflect your address.

To automatically start this stronger firewall ruleset at the proper time,
please see the end of Section 3.4.3 for full details. Please make sure you
make the correct "rc.firewall-ipfwadm" to "rc.firewall-ipfwadm-stronger"
substitutions!!

With IPFWADM, you can block traffic to a particular site using the -I, -O or -F
rules. Remember that the set of rules is scanned top to bottom and "-a" tells
IPFWADM to "append" this new rule to the existing set of rules. So with this in
mind, any specific restrictions need to come before global rules. For example:

Using -I (input) rules:

Probably the fastest and most efficient method to block traffic, but it only
stops the MASQed machines, and NOT the firewall machine itself. Of course,
you might want to allow that combination.

There is no need for a special rule to allow machines on the 192.168.0.0/24
network to go to 204.50.11.0. Why? It is already covered by the global MASQ
rule.

NOTE: There is more than one way of coding the interfaces in the above rules.
For example, instead of "-V 192.168.255.1" you can code "-W eth0", and instead
of "-V $ppp_ip" you can use "-W ppp0". The "-V" method was phased out with the
migration to IPCHAINS, but for IPFWADM users it's more of a personal choice and
documentation.
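The ordering point made for both IPCHAINS (6.4.2) and IPFWADM (6.4.3) above,
and the claim that an "input" rule stops the MASQed machines but not the
firewall itself, can be checked against a small model of the 2.x first-match
chain traversal. This is an added example, not part of the HOWTO or of any
rc.firewall script; it assumes the HOWTO's layout (LAN 192.168.0.0/24 on eth0,
ISP on ppp0, 204.50.11.0/24 as the site to block) and uses 203.0.113.1 as a
constructed stand-in for the firewall's own PPP address.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

class Rule:
    """One chain entry: -i iface (None = any), -s src, -d dst, -j target."""
    def __init__(self, iface: Optional[str], src: str, dst: str, target: str):
        self.iface, self.src, self.dst, self.target = iface, src, dst, target

def first_match(chain: List[Rule], src: str, dst: str, iface: str) -> str:
    """Scan the chain top to bottom (the order -A appended); first match wins."""
    for r in chain:
        if r.iface not in (None, iface):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r.src):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r.dst):
            continue
        return r.target
    return "DENY"  # assumed default policy of a "stronger" ruleset

def build_chains(specific_first: bool) -> Dict[str, List[Rule]]:
    """Constructed ruleset: LAN on eth0, ISP on ppp0, 204.50.11.0/24 blocked."""
    block = Rule("eth0", "192.168.0.0/24", "204.50.11.0/24", "REJECT")  # specific
    lan_ok = Rule("eth0", "192.168.0.0/24", "0.0.0.0/0", "ACCEPT")     # global
    inp = [block, lan_ok] if specific_first else [lan_ok, block]
    fwd = [Rule("ppp0", "192.168.0.0/24", "0.0.0.0/0", "MASQ")]         # global MASQ
    out = [Rule("ppp0", "0.0.0.0/0", "0.0.0.0/0", "ACCEPT")]
    return {"input": inp, "forward": fwd, "output": out}

def verdicts(chains: Dict[str, List[Rule]], src: str, dst: str,
             in_iface: Optional[str]) -> Tuple[str, ...]:
    """Targets hit: a packet the firewall generates itself sees only 'output';
    one arriving on in_iface sees 'input', 'forward', 'output'. Stops at DENY/REJECT."""
    path = [("output", "ppp0")] if in_iface is None else [
        ("input", in_iface), ("forward", "ppp0"), ("output", "ppp0")]
    hits = []
    for name, iface in path:
        t = first_match(chains[name], src, dst, iface)
        hits.append(t)
        if t in ("DENY", "REJECT"):
            break
    return tuple(hits)

if __name__ == "__main__":
    good = build_chains(specific_first=True)
    print(verdicts(good, "192.168.0.10", "204.50.11.5", "eth0"))   # ('REJECT',)
    print(verdicts(good, "203.0.113.1", "204.50.11.5", None))      # ('ACCEPT',)
    bad = build_chains(specific_first=False)   # global rule appended first shadows the block
    print(verdicts(bad, "192.168.0.10", "204.50.11.5", "eth0"))    # ('ACCEPT', 'MASQ', 'ACCEPT')
```

The second case shows the firewall's own traffic bypassing the eth0 input rule
entirely; blocking it too would need a rule on the output chain (or -O for
IPFWADM) on ppp0.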